Authentication
Katarina Valalikova (@KValalikova, k.valalikova@evolveum.com)
Agenda
- History
- Multi-factor, adaptive authentication
- SSO, SAML, OAuth, OpenID Connect
- Federation
Who am I?
- Ing. Katarina Valaliková, FIIT STU BA
- Evolveum s.r.o.: Java Developer, Identity Engineer
Back to the topic
Authentication
- Verification that the user is who they claim to be.
- Three main factors:
  - Something that I know: password, passphrase
  - Something that I have: token, certificate
  - Something that I am: biometrics
- The most usual use case: username & password
Brief history
- First used in the 1960s at MIT
- Username and password saved in plain text on the filesystem
- Hashing
- Multi-factor authentication
- Adaptive authentication
Authentication
<Cthon98> hey, if you type in your pw, it will show as stars
<Cthon98> ********* see!
<AzureDiamond> hunter2
<AzureDiamond> doesnt look like stars to me
<Cthon98> <AzureDiamond> *******
<Cthon98> thats what I see
<AzureDiamond> oh, really?
<Cthon98> Absolutely
<AzureDiamond> you can go hunter2 my hunter2-ing hunter2
<AzureDiamond> haha, does that look funny to you?
<Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
<AzureDiamond> thats neat, I didnt know IRC did that
<Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
<AzureDiamond> awesome!
<AzureDiamond> wait, how do you know my pw?
<Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
<AzureDiamond> oh, ok.
Multi-factor authentication
- Combination of more than one factor:
  - something that I know
  - something that I have
  - something that I am
Adaptive authentication
- Risk-factor authentication: deciding whether the user needs to use additional authentication
- Example: internet banking
- Signals used for the decision:
  - Device recognition: am I logging in from a known device?
  - Threat services: IP whitelist, IP blacklist
  - Directory lookup: checking the user's standard profile against a known directory
  - Geo-location: checking the typical location the user logs in from
  - Geo-velocity: if I log in from Kosice, I won't log in from the USA 10 minutes later
  - Geo-fencing: geographic barriers
  - Behavioural biometrics: suspicious keystroke and mouse-movement patterns
  - Identity governance: decisions made according to the user's access rights (risk factor)
  - User behaviour analytics: how does the user usually behave?
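Two of the signals listed above, device recognition and geo-velocity, turned into a small risk check. This is an added example, not code from the slides; the login events, coordinates, enrolled-device list and the 900 km/h threshold are constructed for illustration.

```python
import math
from datetime import datetime

# Constructed login events (not from the slides): (user, time, device id, latitude, longitude, city).
EVENTS = [
    ('katka', datetime(2017, 3, 1, 8, 0),  'laptop-1', 48.7164, 21.2611, 'Kosice'),
    ('katka', datetime(2017, 3, 1, 8, 10), 'laptop-1', 48.7164, 21.2611, 'Kosice'),
    ('katka', datetime(2017, 3, 1, 8, 20), 'phone-9', 38.9072, -77.0369, 'Washington'),
]
KNOWN_DEVICES = {'katka': {'laptop-1'}}   # devices the user has previously enrolled (constructed)
MAX_SPEED_KMH = 900.0                      # about airliner speed; faster implied travel is implausible

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points (mean Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def assess(events, known_devices):
    """Return one (user, city, decision, reasons) tuple per login, in order.

    decision is 'allow' when no signal fires and 'step-up' (ask for another
    factor) when the device is not enrolled or the implied travel speed is impossible.
    """
    decisions, last = [], {}
    for user, ts, device, lat, lon, city in events:
        reasons = []
        if device not in known_devices.get(user, set()):
            reasons.append('unknown device %s' % device)
        if user in last:
            pts, plat, plon, pcity = last[user]
            hours = (ts - pts).total_seconds() / 3600.0
            dist = haversine_km(plat, plon, lat, lon)
            # Moved a non-zero distance in zero (or negative) time, or faster than MAX_SPEED_KMH.
            if dist > 0 and (hours <= 0 or dist / hours > MAX_SPEED_KMH):
                reasons.append('%.0f km from %s in %.0f min' % (dist, pcity, hours * 60))
        last[user] = (ts, lat, lon, city)
        decisions.append((user, city, 'step-up' if reasons else 'allow', reasons))
    return decisions

if __name__ == '__main__':
    for user, city, decision, reasons in assess(EVENTS, KNOWN_DEVICES):
        print(user, city, decision, '; '.join(reasons))
```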
HTTP Authentication (RFC 2617)
- Simple challenge-response authentication mechanism:
  - used by a server to challenge a client request
  - used by a client to provide authentication information
- A challenge consists of an extensible, case-insensitive token that identifies the authentication scheme, followed by a comma-separated list of attribute-value pairs carrying the parameters necessary for achieving authentication
- The 401 (Unauthorized) response is used by a server to challenge the authorization of a user agent; the response must include a WWW-Authenticate header containing at least one applicable challenge
- Responsibility for parsing WWW-Authenticate is left to the user agents, because the WWW-Authenticate header can contain more than one challenge, and each challenge can contain a comma-separated list of authentication parameters
HTTP Authentication (RFC 2617): example
  ./newissue.sh
  POST -d {issue} http://jira/rest/issue
  -> Authentication required
     HTTP/1.1 401 Unauthorized
     WWW-Authenticate: Basic realm="jira"

  ./newissue.sh -u katka -p password
  POST -u katka:password -d {issue} http://jira/rest/issue
  -> Successful
     HTTP/1.1 200 OK
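The parsing job the slides leave to the user agent, written out: splitting a WWW-Authenticate value into its challenges when several are present and when a quoted parameter contains a comma. Added example, not from the slides; the header value with a Basic and a Digest challenge is constructed for illustration.

```python
import re

# Constructed header value (not from the slides): two challenges, the second with a quoted comma.
SAMPLE_HEADER = 'Basic realm="jira", Digest realm="jira, staging", qop="auth,auth-int", nonce=abc123'

# Lexer for the RFC 2617 grammar: quoted-string (with \-escapes), token, '=' or ','.
_LEXER = re.compile(r'\s*(?:("(?:[^"\\]|\\.)*")|([!#$%&\'*+\-.^_`|~0-9A-Za-z]+)|([=,]))')

def _tokenize(value):
    pos, out = 0, []
    while pos < len(value):
        m = _LEXER.match(value, pos)
        if m is None:                      # only trailing whitespace may remain here
            if value[pos:].strip():
                raise ValueError('malformed WWW-Authenticate at %r' % value[pos:])
            break
        quoted, token, sym = m.groups()
        if quoted is not None:             # drop the quotes, resolve quoted-pair \x -> x
            out.append(('qs', re.sub(r'\\(.)', r'\1', quoted[1:-1])))
        elif token is not None:
            out.append(('tok', token))
        else:
            out.append(('sym', sym))
        pos = m.end()
    return out

def parse_www_authenticate(value):
    """Return [(scheme, {param: value}), ...], one entry per challenge.
    A token followed by '=' is an auth-param of the current challenge; a bare
    token starts a new challenge. Names are case-insensitive, so lower-cased.
    """
    toks, challenges, i = _tokenize(value), [], 0
    while i < len(toks):
        kind, text = toks[i]
        if (kind, text) == ('sym', ','):
            i += 1
        elif kind != 'tok':
            raise ValueError('expected scheme or parameter name, got %r' % text)
        elif i + 1 < len(toks) and toks[i + 1] == ('sym', '='):
            if not challenges:
                raise ValueError('auth-param %r appears before any scheme' % text)
            if i + 2 >= len(toks) or toks[i + 2][0] == 'sym':
                raise ValueError('missing value for parameter %r' % text)
            challenges[-1][1][text.lower()] = toks[i + 2][1]
            i += 3
        else:
            challenges.append((text.lower(), {}))
            i += 1
    return challenges
```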
Single Sign-On
- Unified log-in process for different applications: log in once and share it with the others; just one username and password
- Service provider (relying party): the end application the user wants to access; authentication is left to the identity provider
- Identity provider: service providing authentication for the user; creates a session for the logged-in user
- Session: information about the logged-in user, kept for some period of time; the logged-in user doesn't need to log in again
Single Sign-On: flow between SP and IdP (diagram on the slides)
1. A user who hasn't been authenticated yet wants to use the application (SP, Service Provider).
2. The application, which is part of the SSO solution, verifies with the IdP whether the user was authenticated before.
3. The IdP finds out that the user hasn't logged in yet. The user is redirected to the login page.
4. The user fills in their credentials and submits the login form.
5. The IdP successfully authenticates the user. The user is redirected to the original application (SP). The IdP creates an SSO session for the user.
6.-8. A second application (SP2) appears in the diagram; the slides carry no text for these steps.
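Steps 1-5 above as an in-memory simulation, with a second SP reusing the session. This is an added example, not from the slides; the redirects are modelled as direct calls, the browser as a dict holding the session id, and the user store and session lifetime are constructed for illustration.

```python
import hmac
import secrets

SESSION_LIFETIME = 30 * 60   # seconds; the "some period of time" of the Session slide (constructed)

class IdentityProvider:
    """Authenticates users and keeps the SSO sessions (in memory, for the demo)."""
    def __init__(self, users):
        self._users = users        # username -> password; constructed demo store
        self._sessions = {}        # session id -> (username, expiry timestamp)

    def check_session(self, sid, now):
        """Step 2: an SP asks whether the browser's SSO session is still valid."""
        entry = self._sessions.get(sid)
        if entry is None or entry[1] <= now:
            self._sessions.pop(sid, None)      # forget expired sessions
            return None
        return entry[0]

    def login(self, username, password, now):
        """Steps 4-5: verify the submitted form; on success create the SSO session."""
        expected = self._users.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        sid = secrets.token_urlsafe(32)         # unguessable session id
        self._sessions[sid] = (username, now + SESSION_LIFETIME)
        return sid

class ServiceProvider:
    """Application that relies on the IdP and never handles the password itself."""
    def __init__(self, idp):
        self.idp = idp

    def access(self, browser, now, login_form):
        """Step 1: the user opens the application; returns the username or None.

        browser is the user agent's state (holds the SSO session id, if any);
        login_form() models steps 3-4 and is only called when no session exists.
        """
        user = self.idp.check_session(browser.get('sso_sid'), now)
        if user is None:                         # step 3: redirect to the IdP login page
            sid = self.idp.login(*login_form(), now)
            if sid is None:
                return None
            browser['sso_sid'] = sid             # step 5: back at the SP with a session
            user = self.idp.check_session(sid, now)
        return user
```

With one IdP and two ServiceProvider instances sharing a browser dict, the login form is shown once and the second application is entered without credentials until the session expires.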
SAML (Security Assertion Markup Language)
- XML-based framework for describing and exchanging security information between online partners
- The information is expressed in the form of portable SAML assertions that applications across security domain boundaries can trust
- The OASIS SAML standard defines precise syntax and rules for requesting, creating, communicating and using SAML assertions
- Different drivers behind the adoption of the SAML standard:
  - Web SSO: a standard, vendor-independent grammar and protocol for transferring information about a user from one web server to another
  - Federated identity: agreeing on and establishing a common, shared name identifier to refer to the user, in order to share information about the user across organizational boundaries
  - Web services and other industry standards: a profile for how to use SAML's rich assertion constructs within a WS-Security security token, which can be used, for example, to secure web service SOAP message exchanges
- Participants:
  - SAML asserting party: system entity making a SAML assertion (sometimes called a SAML authority)
  - SAML relying party: system entity using a received assertion
- System entities can operate in a variety of SAML roles; a role defines the SAML services and protocol messages the entity will use and the assertions it will generate or consume (for SSO: Identity Provider, Service Provider)
- Assertion: the heart of a SAML assertion is the subject (the user, computer or organization to be authenticated), also referred to as the principal
SAML Example
OAuth 2.0
- Security protocol used to protect a large number of web APIs
- Used to connect websites to one another
- Powers native and mobile applications connecting to cloud services
- Delegation protocol: a means of letting someone who controls a resource allow a software application to access that resource on their behalf without impersonating them
- As specified in RFC 6749: "The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf."

OAuth 2.0 components
- Resource owner: has access to the API and can delegate access to the API
- Protected resource: the component that the resource owner has access to
- Client: the piece of software that accesses the protected resource on behalf of the resource owner
- Authorization server: issues OAuth access tokens
OAuth 2.0: obtaining authorization
Sequence diagram between the Resource owner, the User's agent, the Authorization server and the Client (steps 1-5 are shown graphically only on the slides).
Social login
OpenID Connect
- Simple identity layer on top of OAuth 2.0
- Enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server
- Enables Clients to obtain basic profile information about the End-User in an interoperable and REST-like manner
- OpenID Connect implements authentication as an extension to the OAuth 2.0 authorization process
Federation
Thanks for your attention. Any questions?
Summary
- Authentication
- HTTP Authentication
- Multi-factor authentication
- Adaptive authentication
- SSO
- SAML
- OAuth 2.0
- OpenID Connect
- Federation
Master's and bachelor's theses
- Smart audit log analysis
- Role mining
- Visualisation of Identity Management system configuration
- Intelligent identity information processing
- Command line tool
- Mobile or self-service application